And if so, NV storage seems not to be required any more under schemes without an RW slot.
Best regards,
Persmule

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, August 19, 2019 7:57 AM, Persmule persmule@hardenedlinux.org wrote:
Thanks. Though I would rather push a change ( https://review.coreboot.org/c/coreboot/+/34977 ) to make vboot step into "recovery mode" directly when no RW slot is present, since I believe letting vboot "verify" a non-existing RW slot is mostly pointless.
Is it convenient for me to bother you to review my change mentioned above?
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, August 18, 2019 4:43 PM, Michal Zygowski michal.zygowski@3mdeb.com wrote:
Yes, vboot requires NV storage to keep its context across boots, it is typically done in CMOS or SPI or EC memory. One of these 3 options must be selected.
For example, in your mainboard Kconfig you should have something like this:
    config VBOOT
        bool
        default y
        select VBOOT_VBNV_CMOS
        select VBOOT_NO_BOARD_SUPPORT
        select GBB_FLAG_DISABLE_LID_SHUTDOWN
        select GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC
        select GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC
        select GBB_FLAG_DISABLE_FWMP
        select RTC

    config VBOOT_VBNV_OFFSET
        hex
        default 0x2D8 if VBOOT
The options you have to select highly depend on the hardware you are trying to run vboot on. For example, vboot can start in bootblock or in romstage (depends on C_ENVIRONMENT_BOOTBLOCK support for the microarchitecture). The example shows a sample configuration for CMOS-stored vboot flags; however, the following options for vboot storage are also available (and have their own dependencies as well):
- VBOOT_VBNV_EC
- VBOOT_VBNV_FLASH
I advise looking at src/security/vboot/Kconfig; the help sections for the options might be helpful for you.
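As an added check that is not part of this thread: a small POSIX shell script that reads a built coreboot .config and confirms that, when CONFIG_VBOOT=y, exactly one VBOOT_VBNV_* backend (CMOS, EC or FLASH) is enabled, which is the "one of these 3 options must be selected" rule from the message above. The .config contents below are constructed for the demonstration, not taken from a real board.

```shell
#!/bin/sh
# Added example (not from the thread): validate the vboot NV-storage
# selection in a coreboot .config.

# Print how many VBOOT_VBNV_* backends are enabled in the given .config.
# grep -c prints "0" but exits 1 when nothing matches, so callers must
# tolerate a non-zero status.
count_vbnv_backends() {
    grep -c -E '^CONFIG_VBOOT_VBNV_(CMOS|EC|FLASH)=y$' "$1"
}

# Return 0 when CONFIG_VBOOT=y and exactly one backend is enabled,
# 1 otherwise (with a short reason on stderr).
check_vbnv_config() {
    cfg="$1"
    if ! grep -q -E '^CONFIG_VBOOT=y$' "$cfg"; then
        echo "vboot not enabled in $cfg" >&2
        return 1
    fi
    n=$(count_vbnv_backends "$cfg" || true)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one VBOOT_VBNV_* backend, found $n" >&2
        return 1
    fi
    return 0
}

# Constructed sample .config fragments (hypothetical, for demonstration).
SAMPLE_OK=$(mktemp)
printf 'CONFIG_VBOOT=y\nCONFIG_VBOOT_VBNV_CMOS=y\nCONFIG_VBOOT_VBNV_OFFSET=0x2d8\n' \
    > "$SAMPLE_OK"

# vboot on, but no backend selected: the context would not survive a reboot.
SAMPLE_NONE=$(mktemp)
printf 'CONFIG_VBOOT=y\n# CONFIG_VBOOT_VBNV_CMOS is not set\n' > "$SAMPLE_NONE"

# vboot on, but two backends selected at once: conflicting storage choice.
SAMPLE_TWO=$(mktemp)
printf 'CONFIG_VBOOT=y\nCONFIG_VBOOT_VBNV_CMOS=y\nCONFIG_VBOOT_VBNV_FLASH=y\n' \
    > "$SAMPLE_TWO"
```

Run `check_vbnv_config path/to/.config` from a build tree; only the first sample above passes.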